Advisory: Milesight UG67: Undocumented Default Password
The Milesight UG67 Outdoor LoRaWAN Gateway has an undocumented user account
'pyuser' with the guessable password 'ur123456'.
### Details
- Product: Milesight UG67 Outdoor LoRaWAN Gateway
- Affected Versions: 60.0.0.42-r5, likely others
- Fixed Versions: 60.0.0.44
- Vulnerability Type: Undocumented Default Password
- Security Risk: low
- Vendor URL: https://www.milesight.com/iot/product/lorawan-gateway/ug67
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2024-002
- Advisory Status: published
- CVE: CVE-2024-47862
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47862
### Introduction
The Milesight UG67 is a robust outdoor LoRaWAN® gateway designed for outdoor
deployments.
### More Details
The Milesight UG67 Outdoor LoRaWAN Gateway has an undocumented user account
'pyuser' with a guessable password.
### Proof of Concept
Attackers with privileged access to a Milesight UG67 Outdoor LoRaWAN Gateway
are able to extract the file '/etc/shadow':
```
root:$1$LeEdx8s4$rHpvVnYk00euXq7yhilAy.:17415:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
admin:$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19643:0:99999:7:::
pyuser:$1$MD9B8mwI$QJiMcTT8uSUlqJ5oTZCQI/:17570:0:99999:7:::
ntp:x:0:0:99999:7:::
ggc_user:!:18369:0:99999:7:::
mosquitto:x:0:0:99999:7:::
postgres:x:0:0:99999:7:::
redis:x:0:0:99999:7:::
sshd:x:0:0:99999:7:::
```
While the default password for the user account 'root' is documented in the
system's manual, and it is obviously wise to change it, the user account
'pyuser' is not mentioned there. Nor is the account 'pyuser' mentioned in
the web interface of the Milesight UG67 LoRaWAN Gateway. However, the password
'ur123456' is easily found using
[john](https://www.openwall.com/john/) or [hashcat](https://hashcat.net/hashcat/):
```
$ john shadow
Loaded 3 password hashes with 3 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
ur123456 (pyuser)
1g 0:00:16:05 2.40% 2/3 (ETA: 01:10:44) 0g/s 108442p/s 218023c/s
```
In contrast to the user account 'root', the account 'pyuser' only has a limited
shell enabling access to the gateway's text-based configuration system:
```
root@(none):/# grep pyuser /etc/passwd
pyuser:x:1001:1001::/home/pyuser:/usr/sbin/vtysh
```
For example, this shell allows reading the configured WiFi password.
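To audit a shadow file taken from a gateway for accounts like 'pyuser', the following added example (not part of the original advisory and not vendor code) lists every account whose entry accepts a password login, together with its hash scheme and login shell. The shadow lines and the 'pyuser' passwd line come from the listings above; the 'root' passwd line and the set of documented accounts are assumptions.

```python
# Shadow entries: a subset of the advisory's /etc/shadow listing.
SHADOW = """\
root:$1$LeEdx8s4$rHpvVnYk00euXq7yhilAy.:17415:0:99999:7:::
daemon:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
admin:$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19643:0:99999:7:::
pyuser:$1$MD9B8mwI$QJiMcTT8uSUlqJ5oTZCQI/:17570:0:99999:7:::
ggc_user:!:18369:0:99999:7:::
"""
# The pyuser line is from the advisory; the root line is constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/ash
pyuser:x:1001:1001::/home/pyuser:/usr/sbin/vtysh
"""
# Assumption: accounts the operator knows about and has set passwords for.
DOCUMENTED = {"root", "admin"}
# crypt(3) scheme identifiers (the field between the first two '$').
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def login_shells(passwd_text):
    """Map user name -> login shell (7th passwd field)."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return {r[0]: r[6] for r in rows if len(r) == 7}

def audit(shadow_text, passwd_text, documented):
    """Return one finding per account whose shadow entry allows password login."""
    shells = login_shells(passwd_text)
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            scheme = "empty"            # no password required at all
        elif pw.startswith("$"):
            scheme = SCHEMES.get(pw.split("$")[1], "unknown")
        else:
            continue                    # '*', '!', 'x': no password can match
        findings.append({"user": user, "scheme": scheme,
                         "shell": shells.get(user, "unknown"),
                         "undocumented": user not in documented})
    return findings

if __name__ == "__main__":
    for finding in audit(SHADOW, PASSWD, DOCUMENTED):
        print(finding)
```

On the sample data, 'pyuser' is the only account reported as undocumented, and all three password-capable accounts use md5crypt.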
### Workaround
Use the documented 'root' account to log in using SSH in order to change the
password for the 'pyuser' account, or disable the account completely. It might
be necessary to enable SSH access first. If so, remember to disable SSH access
again after changing the account.
### Fix
It should be examined how the 'pyuser' account is used. If it is only used
internally, the password and the login capability should be removed. If it is
to be provided externally, the necessity to change its password should be
documented and the ability to do so using the web interface should be provided.
### Security Risk
Attackers with SSH access to a Milesight UG67 Outdoor LoRaWAN Gateway are able
to log in to the account 'pyuser' using the undocumented password 'ur123456'.
The account 'pyuser' is configured to have a restricted menu-based configuration
system as login shell. Thus, the guessable password for 'pyuser' is considered
to pose a low risk on its own.
It is possible to circumvent this restricted shell. This is documented
and rated separately in
[rt-sa-2024-003](https://www.redteam-pentesting.de/advisories/rt-sa-2024-003).
### Timeline
- 2024-04-25 Vulnerability identified
- 2024-04-29 Customer approved disclosure to vendor
- 2024-05-14 Vendor notified
- 2024-06-28 asked Vendor for update
- 2024-07-03 Vendor will provide update by end of July
- 2024-07-24 asked Vendor for update
- 2024-07-30 Vendor stated: Work in Progress
- 2024-08-09 Vendor stated: Fix expected Q3/24
- 2024-09-24 CVE ID requested
- 2024-09-24 asked Vendor for update
- 2024-09-24 Vendor stated: Fix in 60.0.0.44
- 2024-10-04 CVE ID assigned
- 2024-10-07 asked Vendor for update
- 2024-10-08 Vendor stated: Fix will be available mid-October
- 2024-10-18 asked Vendor for update
- 2024-10-21 Vendor stated: Fix will be available mid-November
- 2024-11-04 Vendor released fixed version for testing
- 2024-11-05 Vendor released fixed version
- 2024-12-10 Customer approved public release of vulnerability details
- 2024-12-10 Advisory released
### RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at: